How do I get opendkim to sign emails?

1

I am running on an Ubuntu 14.04 VPS and am having trouble getting opendkim to sign outgoing emails.

Also, I do not understand the results from dig -x, and I'm not sure my VPS provider entered the rDNS PTR record correctly. Here are the results returned:

$  dig -x 84.200.17.129

; <<>> DiG 9.9.5-9+deb8u5-Debian <<>> -x 84.200.17.129
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38970
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;129.17.200.84.in-addr.arpa.    IN  PTR

;; ANSWER SECTION:
129.17.200.84.in-addr.arpa. 10799 IN    CNAME   129.0-255.17.200.84.in-addr.arpa.
129.0-255.17.200.84.in-addr.arpa. 10799 IN PTR  ozarksneighborlyexchange.com.

;; Query time: 273 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Mar 25 07:13:48 CDT 2016
;; MSG SIZE  rcvd: 121

I know for example that CNAME is an alias. I expected a PTR for my domain and IP, but they seem to have only added a CNAME record. The PTR record pertains to the provider's entire IP range. From what I've read, CNAME records don't hold much weight for verification purposes. The score on mail-tester.com did improve from 3/10 to 4.5/10 after the CNAME was added, though.

As for the opendkim signing problem, I followed this guide: https://easyengine.io/tutorials/mail/dkim-postfix-ubuntu/ and enabled extended logging with:

# Log to syslog
Syslog                  yes
LogWhy                  yes
SyslogSuccess           yes
MilterDebug             3

I see the following in the logs for a simple email to mail-tester.com:

Mar 25 11:49:35 seed05 opendkim[10983]: D05F140793: no signing domain match for 'seed05.ozarksneighborlyexchange.com'
Mar 25 11:49:35 seed05 opendkim[10983]: D05F140793: no signing subdomain match for 'seed05.ozarksneighborlyexchange.com'
Mar 25 11:49:35 seed05 opendkim[10983]: D05F140793: no signature data

I am also a bit confused about the role subdomains play in this. I set my VPS hostname to seed05, and added this line to my /etc/hosts file: 84.200.17.129 seed05.ozarksneighborlyexchange.com seed05

I am not sure what, if anything, needs to be added to my DNS that relates to a subdomain. I currently have 2 "A" records and 2 "TXT" records defined:

A    @
A    www
TXT  @                v=spf1 a include:_spf.ozarksneig.....   (for SPF, which seems OK)
TXT  mail._domainkey  v=DKIM1; p=MIGfMA0GCS......              (tools seem to say this is OK)

I have added postfix to the opendkim group. I see lots of references to inet but inetd is deprecated and I can't find info on how the replacement for it is configured (for example where port 8891 is defined for smtp / postfix).

So as you can see I have several points of confusion despite spending all day trying to get email to be sent more reliably. Would greatly appreciate any input / answers to this. Thx!

motech man

Posted 2016-03-25T12:52:50.253

Reputation: 51

Answers

1

For the PTR record in the reverse-mapping space, what they have there is fine. It's following RFC 2317, which is a current Best Practice for delegating control of DNS records for networks smaller than /24. It's just that what they have seems a little unnecessary, since the "range" notation is 0-255, which implies a /24 network size (but there is a delegation off to another server -- dig ns 0-255.17.200.84.in-addr.arpa )

So that part is fine, so long as your mail server is claiming to be ozarksneighborlyexchange.com in the EHLO exchange. But it really needs to be seed05.ozarksneighborlyexchange.com according to the rest of your post, i.e., it needs to be what your mail server knows itself to be (myhostname statement in your Postfix main.cf file)

Getting OpenDKIM working is as simple as setting up the signing keys, then telling Postfix to use it as a "milter" on outbound mail. The inet part is confusing you; that's referring to the transport mechanism, not the old inetd daemon.

Here's my OpenDKIM conf file, modified for you: /etc/opendkim.conf

(the part I'm guessing is wrong is the Domain line... you want to use the domain part of your email addresses, user@domain.com, so if the domain part is ozarksneighborlyexchange.com for you, that's what goes in the DKIM configuration and determines what goes into DNS...)

# This is a basic configuration that can easily be adapted to suit a standard
# installation. For more advanced options, see opendkim.conf(5) and/or
# /usr/share/doc/opendkim/examples/opendkim.conf.sample.

# Log to syslog
Syslog                  yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask                   002

# Sign for example.com with key in /etc/mail/dkim.key using
# selector '2007' (e.g. 2007._domainkey.example.com)
Domain                  ozarksneighborlyexchange.com
KeyFile                 /etc/postfix/dkim.key
Selector                general

# Commonly-used options; the commented-out versions show the defaults.
#Canonicalization       simple
#Mode                   sv
#SubDomains             no
#ADSPDiscard            no

This assumes you generated the DKIM key called 'dkim', so you have a dkim.key and a dkim.pub file in your /etc/postfix directory. Adjust as necessary.

The next part is to tell the OpenDKIM where to listen. I use an Internet-type socket (inet) on the same machine as Postfix, so I have this in /etc/default/opendkim :

# Command-line options specified here will override the contents of
# /etc/opendkim.conf. See opendkim(8) for a complete list of options.
#DAEMON_OPTS=""
#
# Uncomment to specify an alternate socket
# Note that setting this will override any Socket value in opendkim.conf
#SOCKET="local:/var/run/opendkim/opendkim.sock" # default
SOCKET="inet:60001@localhost"

Then in the Postfix configuration, tell it where to find it and use it as a "milter".

In /etc/postfix/main.cf:

smtpd_milters = inet:localhost:60001
milter_default_action = accept

And the last piece is to put your public key in DNS so others can validate your signatures. In my case, my email address is milli@acmeps.com, so I have acmeps.com as the domain in the opendkim.conf file, then in DNS, I have:

general._domainkey      TXT     "v=DKIM1\; k=rsa\; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsnvxDB629MQXlcEMxgJIj18oH0BP5i02+v" "e3acN7yJ+n+smkMHUtaXSnSU2KN0ObySjkafUD93L1dL4KtafAKwE5gWSRbxrMBwWjwcmNgiCmtELbzt" "azlK8N6bbm2R1e7csUfHaFScSC5Lu+UD8JrFeovWfNCSpmV/kyrIlTTArNLK3R7mad4MmOZo/Agj9JRg" "0fa+cKCEl8Uo8RqY4xHX9fAlJTGT4MSvH3KEo9aL/tr7qZvcROA8dBaCLfdDnOqrBpfjFfZZSoCcYi6V" "bTKswYiAHABljoq5qhR7k+EdKv2Z+DRD2e2knld5kYXeMJXUENrZ2hYn4q25JEdET1TwIDAQAB"

You can see this with dig txt general._domainkey.acmeps.com.

Here you notice general showed up. That is the DKIM selector and needs to match in the opendkim.conf file and what you put in DNS. You didn't list what your selector is set to, but that's the other thing that'll bite ya.

This should get you over the hump!

milli

Posted 2016-03-25T12:52:50.253

Reputation: 1 682
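The two things this answer says will "bite" you (the From: domain not matching the Domain line, and the selector/public key in DNS not matching the local configuration) can be checked before sending any mail. The script below is an added example, not code from the thread or from the OpenDKIM project; it models the domain matching the way opendkim.conf(5) describes Domain and SubDomains, and parses the split-string TXT form shown above. The opendkim.conf text, the zone line and the key material are all constructed placeholders (the key body is not a real RSA key), so it runs offline.

```python
"""Pre-flight checks for an OpenDKIM + Postfix setup (added example).

1. signing_decision(): will OpenDKIM sign a message from this From: address?
   Only if the address's domain is in the Domain list, or is a subdomain of one
   and SubDomains is yes. Otherwise the log shows "no signing domain match".
2. check_dns_vs_conf(): does the DKIM TXT record carry the same selector and
   the same public key as the local configuration?
"""
import base64
import re


def parse_opendkim_conf(text):
    """Map option names to values, dropping comments and blank lines."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf[parts[0]] = parts[1].strip()
    return conf


def signing_decision(conf, from_addr):
    """Return (will_sign, reason) following opendkim.conf(5) Domain/SubDomains semantics."""
    domains = [d.strip().lower() for d in conf.get("Domain", "").split(",") if d.strip()]
    from_domain = from_addr.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if from_domain in domains:
        return True, "signing domain match for '%s'" % from_domain
    sub_ok = conf.get("SubDomains", "no").lower() in ("yes", "true", "1")
    if sub_ok and any(from_domain.endswith("." + d) for d in domains):
        return True, "signing subdomain match for '%s'" % from_domain
    return False, "no signing domain match for '%s'" % from_domain


def parse_dkim_txt(zone_line):
    """Parse a zone-file TXT line like
         general._domainkey TXT "v=DKIM1\\; k=rsa\\; " "p=MIIB..." "..."
    into (selector, {tag: value}). Quoted strings are concatenated, as a
    resolver does, and the zone-file escape '\\;' becomes ';'."""
    name = zone_line.split(None, 1)[0]
    selector = name.split("._domainkey", 1)[0]
    joined = "".join(re.findall(r'"([^"]*)"', zone_line)).replace("\\;", ";")
    tags = {}
    for field in joined.split(";"):
        if "=" in field:
            key, value = field.split("=", 1)
            tags[key.strip()] = value.strip()
    return selector, tags


def pem_public_key_b64(pem_text):
    """Strip PEM armour and whitespace; the DKIM p= value is exactly this base64 body."""
    body = [line for line in pem_text.splitlines() if not line.startswith("-----")]
    return "".join("".join(body).split())


def check_dns_vs_conf(conf, zone_line, pem_text):
    """Return a list of problems; an empty list means DNS and config agree."""
    problems = []
    selector, tags = parse_dkim_txt(zone_line)
    if selector != conf.get("Selector"):
        problems.append("selector mismatch: conf=%r dns=%r" % (conf.get("Selector"), selector))
    if tags.get("v") != "DKIM1":
        problems.append("missing or wrong v= tag")
    if base64.b64decode(tags.get("p", "")) != base64.b64decode(pem_public_key_b64(pem_text)):
        problems.append("p= in DNS does not match the local public key")
    return problems


# --- constructed sample inputs (placeholders, not the asker's real files) ----
SAMPLE_CONF = """\
Syslog      yes
Domain      ozarksneighborlyexchange.com
KeyFile     /etc/postfix/dkim.key
Selector    general
"""
# Stand-ins for the base64 SubjectPublicKeyInfo; a real record carries an RSA key.
FAKE_KEY_B64 = base64.b64encode(b"constructed placeholder, not an RSA key " * 4).decode()
OTHER_KEY_B64 = base64.b64encode(b"a different constructed key " * 4).decode()


def make_zone_line(selector, key_b64, chunk=40):
    """Build the split-string TXT form shown in the answer from a key body."""
    pieces = ["p=" + key_b64[:chunk]] + [key_b64[i:i + chunk] for i in range(chunk, len(key_b64), chunk)]
    return '%s._domainkey TXT "v=DKIM1\\; k=rsa\\; " %s' % (selector, " ".join('"%s"' % p for p in pieces))


def make_pem(key_b64):
    """Wrap a base64 body in PEM armour, like the dkim.pub file opendkim-genkey writes."""
    lines = [key_b64[i:i + 64] for i in range(0, len(key_b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


if __name__ == "__main__":
    conf = parse_opendkim_conf(SAMPLE_CONF)
    for addr in ("root@seed05.ozarksneighborlyexchange.com", "user@ozarksneighborlyexchange.com"):
        print(addr, "->", signing_decision(conf, addr))
    zone = make_zone_line("general", FAKE_KEY_B64)
    print("DNS vs conf:", check_dns_vs_conf(conf, zone, make_pem(FAKE_KEY_B64)) or "OK")
    print("wrong selector:", check_dns_vs_conf(conf, make_zone_line("mail", FAKE_KEY_B64), make_pem(FAKE_KEY_B64)))
```

With the sample configuration, mail from root@seed05.ozarksneighborlyexchange.com is reported as "no signing domain match", which is exactly the log line in the question; adding SubDomains yes, or making Postfix put the bare domain in the From: address, flips it to a match. On a real host, feed check_dns_vs_conf() the output of dig txt general._domainkey.yourdomain and the contents of your dkim.pub file.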